
Telephone: (781) 609-7741 | Fax: (888) 705-8053 | Email: [email protected] | Website: www.pdmpassist.org

RxCheck Connection Technical Assistance Guide

This Technical Assistance Guide (TAG) is intended to provide PDMP Administrators with information on how to connect to the RxCheck Hub to share information across state prescription drug monitoring programs (PDMPs). The RxCheck Hub was designed with the involvement of the PDMP community, private industry, and the federal government to enable a nationwide capability for the timely, secure exchange of prescription information.

Status of the RxCheck Hub

The RxCheck Hub is operational and ready to support real-time data exchange between PDMPs. The system’s infrastructure has been tested and validated, and includes the latest design improvements identified since its inception. The RxCheck Hub will be maintained by the IJIS Institute with oversight from the RxCheck Governance Body. Information on costs can be obtained from the IJIS Institute.

Establishing Connectivity to the RxCheck Hub

Prior to connecting to the RxCheck Hub, a PDMP must first meet the following criteria:

- at least one other state to serve as an exchange partner
- enabling legislation to engage in interstate operability
- a Memorandum of Understanding (MOU) governing data sharing among partners

Contacts for Technical Assistance

IJIS Institute Donald Gabbin (703) 726-3647 [email protected]

History

The National Drug Control Strategy of 2010, issued by the White House Office of National Drug Control Policy, identified the need to establish data linkages between PDMPs as a national priority. Data sharing among PDMPs permits cross-state tracking of patients’ prescription history, suspected doctor-shopping, prescription fraud, and prescribing trends. In response, the Bureau of Justice Assistance (BJA), with project management and acquisition support from the IJIS Institute, and in collaboration with PDMPs, developed the Prescription Monitoring Information Exchange (PMIX) National Architecture. The PMIX National Architecture was developed as a direct response to the concerns and needs expressed by states who were members of the BJA/IJIS PDMP Committee. While the PMIX National Architecture was being developed, the RxCheck Hub was developed to implement the PMIX National Architecture and deliver a functional interstate data sharing hub. Additional information about the PMIX National Architecture can be found on the PDMP Training and Technical Assistance Center’s (TTAC) website.

Interface Connection Options

Overview

The PDMPs’ technical management team should first review the PMIX Service Specification Package, in particular the Service Description Document (SDD), which describes the basic functions comprising the information sharing attributes of the service. The technical team will then need to consider the PMIX RxCheck connection options and determine the option that best suits their environment. The following diagram depicts the two PMIX RxCheck connection options.

Figure 1: PMIX Connection Options

[Diagram not reproduced. Annotations recovered from the figure:]

Option 1: PDMP system uses a trusted web service connection to a PMIX SRS. The SRS handles all X.509 certificate based message level security.

Option 2: PDMP system implements the secure web service connection directly with the RxCheck Hub. X.509 certificates required for advanced message level security.

Option 1: PMIX SRS

Option 1, as shown in the Figure 1 diagram, involves a state PDMP system connecting to the PMIX RxCheck Hub via the PMIX State Routing Service (SRS). The PMIX SRS enables PDMPs to “offload” PMIX functionality such as PMIX compliant service hosting, request/response message validation, role-based site authorization and full message routing. In addition, the PMIX SRS handles all X.509 certificate-based message encryption/decryption involved in communicating over the PMIX secure web service interface. The PMIX SRS has been certified via the PMIX Springboard Conformance Test process, therefore the interface and corresponding functionality is guaranteed to interoperate with the RxCheck Hub. For additional information regarding the Option 1 connection specification, refer to the PMIX Service Specification Package (SSP) Trusted SIDD (PMIX_SIDD_WS_Trusted_v_1.1.0).

Option 2: Custom Proxy

Option 2, on the other hand, affords a PDMP greater flexibility to develop their own proxy interface service using their native platform and technology. A custom proxy interface must comply with all requirements documented in the service interface specification, including web service communication using WS-Security message-level encryption. For additional information regarding the Option 2, custom proxy, connection specification, refer to the PMIX Service Specification Package (SSP) Secure SIDD document (PMIX_SIDD_WS_Secure_v_1.1.0).

Note: The PMIX SSP includes several reference implementations, for various Java platforms, which provide broad programmatic guidance in the form of functional software.

Getting Started Procedures

The steps listed below are intended to provide PDMP technical staff with general guidance which serves to augment the information contained in the PMIX SSP documentation. Please note that implementation may vary depending upon a PDMP’s computer system. The IJIS Institute is available to provide technical assistance as needed.

Step 1: Software Installation (Option 1 only)

- Install the latest version of the .NET Framework
- Install the latest version of the PMIX State Routing Service
- Install & configure Windows IIS Server Role
- Install the latest version of the PMIX Admin Console
- Install the latest version of the PMIX RAS Service
- Bind the security certificate to the SRS HTTP endpoint
  o i.e. netsh http>add sslcert ipport=0.0.0.0:18802 certhash=8…2 appid={8…2}
- Establish a PMIX SRS Directory Structure:
  o Dedicated, standalone LDAP:
    - Install Microsoft ADLDS
    - Setup a new ADLDS instance
    - Instance name should be: CN=PMIX,DC=rxcheck,DC=org
    - Run the LDAP scripts provided with the SRS software
  o Existing, Enterprise LDAP:
    - Run the LDAP scripts provided with the SRS software
- Configure the PMIX SRS LDAP Directory Service
  o Communication Endpoints
    - RxCheck Hub
    - PDMP System
  o Message Filtering
  o Role-based Site Authorization

Step 2: Network Preparation

- Configure and validate network connectivity between the State Routing Service (Option 1) or the Custom Proxy (Option 2) and the two endpoint systems:
  o “External” - RxCheck Central Hub
  o “Internal” - PDMP System
- The following steps, which are based on a typical configuration process, reflect general network configuration guidance and may need to be tailored to apply to specific environments.
  o Network Access
    - Enable the SRS to access the RxCheck Hub
      - Provide the PMIX RxCheck Administrator with the SRS external IP address, so they can configure the IJIS network firewall
      - Configure the networking components:
        o Add the necessary network address translation (NAT)
        o Add the routing rules needed to route outbound traffic
        o If necessary, add any outbound firewall rules
        o If the external IP address is “virtual”, ensure any added routing provisions are implemented
    - Enable the SRS to access the State PDMP
      - Configure the networking components:
        o Add the necessary network address translation (NAT)
        o Add the routing rules needed to route outbound traffic
        o If necessary, add any outbound firewall rules
        o If the external IP address is “virtual”, ensure any added routing provisions are implemented
    - Enable the RxCheck Hub to access the SRS
      - Provide the PMIX RxCheck Administrator with the SRS externally accessible IP address used to connect to the listener
      - Configure the networking components:
        o Add the necessary inbound firewall rules
        o If the external IP address is “virtual”, ensure any added routing provisions are implemented
  o Domain Name Resolution
    - RxCheck Hub
      - Identify the domain name and network address
      - Ensure the SRS is able to resolve the domain name to the IP
    - State PMP System
      - Identify the domain name and network address
      - Ensure the SRS is able to resolve the domain name to the IP
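
A way to check the outbound half of Step 2 from the SRS or custom proxy host before any loopback testing, as an added example that is not part of the guide or the SRS software. The hub URL is the one listed in Appendix A; the PDMP URL and the expected IP are placeholders, and the function and property names are illustrative.

```powershell
# Added example. Rows follow the Appendix A checklist; PLACEHOLDER values are assumptions.
$endpoints = @(
    [pscustomobject]@{
        Name       = 'RxCheck Hub (external)'
        Url        = 'https://test.rxcheck.org:18803/2010/12/pmx/router'  # checklist item 2
        ExpectedIp = $null                                                # item 2.2 is blank in the guide
    }
    [pscustomobject]@{
        Name       = 'State PDMP system (internal)'
        Url        = 'https://pdmp.example.gov:8443/pmix'                 # PLACEHOLDER (item 4)
        ExpectedIp = '10.0.0.25'                                          # PLACEHOLDER (item 4.2)
    }
)

function Test-PmixEndpoint {
    param([Parameter(Mandatory)] $Endpoint)
    $uri = [uri]$Endpoint.Url
    $ips = @()
    try {
        # Resolve from this host, because it is the SRS that must resolve the name.
        $ips = @(Resolve-DnsName -Name $uri.Host -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch {
        Write-Warning "$($Endpoint.Name): cannot resolve $($uri.Host): $($_.Exception.Message)"
    }
    $tcp = $false
    if ($ips.Count -gt 0) {
        # A failure here points at NAT, routing or outbound firewall rules.
        $tcp = (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{
        Endpoint      = $Endpoint.Name
        # The URL must carry a domain name (not an IP) so it can match the certificate.
        HostIsDnsName = $uri.HostNameType -eq [System.UriHostNameType]::Dns
        ResolvedIp    = $ips -join ', '
        MatchesSheet  = if ($Endpoint.ExpectedIp) { $ips -contains $Endpoint.ExpectedIp } else { 'not recorded' }
        Port          = $uri.Port
        TcpReachable  = $tcp
    }
}

$endpoints | ForEach-Object { Test-PmixEndpoint -Endpoint $_ } | Format-Table -AutoSize
```

The inbound path (RxCheck Hub to the SRS listener) cannot be verified from the SRS itself and still has to be confirmed with the PMIX RxCheck Administrator.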

Step 3: Security

The following outline provides instructions (Windows Server) to help acquire and install the X.509 certificate for the PMIX SRS (Option 1) or the Custom Proxy (Option 2):

- Generate SSL/TLS Custom CSR (if necessary)
  o Using the Certificates snap-in for computer manager, from the Action menu, select All Tasks - Advanced Operations and then “Create Custom Request”
  o Select “Proceed without enrollment policy”, the (No template) Legacy key and PKCS #10 for Request format
  o Configure the following CSR options so as to use the certificate for TLS/SSL
  o On the CSR Form General tab:
    - Enter the Friendly name
  o On the CSR Form Subject tab:
    - In the Subject name area under Type, click Common Name
    - In the Subject name area under Value, enter the fully qualified domain name of the server
    - In the Alternative name area under Type, click DNS
    - In the Alternative name area under Value, enter the fully qualified domain name of the server
  o On the CSR Form Extensions tab:
    - Under Key usage, in Available options, select Digital signature
    - Under Key encipherment, Extended Key Usage (application policies), in the Available options, select Server & Client Authentication
  o On the CSR Form Private Key tab:
    - In the Cryptographic Service Provider section, deselect all CSPs and select Microsoft RSA SChannel Cryptographic Provider (Encryption).
    - Under Key options, in the Key size list, select a key size of 2048.
    - Select the Make private key exportable check box.
  o Reference: http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx
- Import certificates (SRS certificate and any exchange partners’ certificates)
  o Using the Certificates snap-in for computer manager, from the Action menu, select All Tasks, and then select Import to start the Certificate Import Wizard
  o Type (or navigate to) the file name containing the certificate to be imported
  o Select "Place all certificates in the following store" and select "Personal"
- Ensure the certificates have a Friendly Name
  o Using the Certificates snap-in for computer manager, navigate to "Personal\Certificates" and verify the "Friendly Name" is set to the subject
- Copy the certificates
  o Using the Certificates snap-in for computer manager, navigate to "Personal\Certificates" and copy the newly imported certificate
  o Then, navigate to "Trusted People\Certificates" and paste the certificate

Note: Any secure http URL must include the domain name that matches the certificate
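
The same CSR options expressed as a certreq.exe request file, followed by a check to run once the issued certificate has been imported and copied; this is an added example, not part of the guide or the SRS software. It assumes an elevated Windows PowerShell 5.1 session, the Local Computer certificate stores, and a key usage of Digital signature plus Key encipherment; the host name, friendly name and the function name Test-PmixCert are placeholders.

```powershell
# Added example. PLACEHOLDER values are assumptions, not taken from the guide.
$fqdn         = 'srs.example.gov'   # PLACEHOLDER: FQDN of the SRS or custom proxy host
$friendlyName = 'PMIX SRS'          # PLACEHOLDER: friendly name shown in the snap-in
$workDir      = Join-Path $env:TEMP 'pmix-csr'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# certreq request file mirroring the General, Subject, Extensions and Private Key tabs.
$inf = @"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=$fqdn"
FriendlyName = "$friendlyName"
RequestType = PKCS10
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
; 0xa0 = Digital signature (0x80) + Key encipherment (0x20)
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
"@

$infPath = Join-Path $workDir 'srs.inf'
$csrPath = Join-Path $workDir 'srs.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
certutil.exe -dump $csrPath          # review the request before sending it to the CA

# Run after the issued certificate has been imported and copied to Trusted People.
function Test-PmixCert {
    param([string]$Fqdn, [string]$IpPort = '0.0.0.0:18802')  # ipport from the guide's netsh line
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $Fqdn } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $Fqdn in LocalMachine\My" }
    $eku = $cert.EnhancedKeyUsageList.ObjectId
    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        FriendlyNameSet = -not [string]::IsNullOrWhiteSpace($cert.FriendlyName)
        HasPrivateKey   = $cert.HasPrivateKey
        KeySize         = $cert.PublicKey.Key.KeySize
        ServerAndClient = ($eku -contains '1.3.6.1.5.5.7.3.1') -and ($eku -contains '1.3.6.1.5.5.7.3.2')
        NotExpired      = $cert.NotAfter -gt (Get-Date)
        InTrustedPeople = Test-Path "Cert:\LocalMachine\TrustedPeople\$($cert.Thumbprint)"
        BoundToListener = [bool](netsh http show sslcert "ipport=$IpPort" |
                                 Select-String -SimpleMatch $cert.Thumbprint -Quiet)
    }
}
# Test-PmixCert -Fqdn $fqdn
```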

Step 4: Conduct Loopback Testing

Perform a loopback test in which a PDMP simulates both the requesting and disclosing states. As such, the PDMP sends the PMIX request to their own PDMP system endpoint via either the PMIX SRS (Option 1) or the Custom Proxy (Option 2).

Note: The response will follow the same steps in the reverse direction

Note: After successfully completing a local loopback test, the test “loop” can be expanded to include a pass through the RxCheck Hub

Step 5: Integration Testing

Perform integration testing with an exchange partner; the request will flow from the requesting-state PDMP application to the requesting-state SRS (Option 1) or the Custom Proxy (Option 2), to the RxCheck Hub, to the disclosing-state PDMP application (note: the response will follow the same steps in the reverse direction)

Step 6: Springboard Testing (Optional, Option 2 Only)

Conduct Springboard Conformance Testing to validate the interoperable aspects of the service interface specification in order to assert that a participating system conforms to the PMIX Specification. The conformance specification and the associated test cases define a series of tests designed to exercise each interoperability aspect of the specification at least once.

Appendix A: Pre-Installation Checklist

The following architecture diagram and pre-installation checklist table will orient the deployment team by identifying important system information prior to the software installation and configuration.

Figure 2: Typical PMIX Component Architecture Overview

[Diagram not reproduced. Labeled components: PMIX SRS, RxCheck Hub, PDMP, New (NW) Site, Exchange Partner (EP); callouts 1-6, A, B and # correspond to the IDs in Table 1.]

ID  | Description                               | Value
1.  | SRS Service Host Base URL Address         |
1.1 | Domain Name:                              |
1.2 | IP Address:                               |
2.  | RxCheck Hub Service Host URL Address      | https://test.rxcheck.org:18803/2010/12/pmx/router
2.1 | Domain Name:                              | test.rxcheck.org
2.2 | IP Address:                               |
3.  | SRS RxCheck Hub Listener URL Address      | https://
3.1 | Domain Name:                              |
3.2 | IP Address:                               |
4.  | New site PDMP Application URL Address     |
4.1 | Domain Name:                              |
4.2 | IP Address:                               |
5.  | New site unique qualifier (NW)            |
6.  | Exchange partner unique qualifier (EP)    |
A.  | The new site’s PMIX SRS certificate       |
B.  | The partner site’s PMIX SRS certificate   |
#   | Network Configuration (Firewall, Router)  |

Table 1: Pre-Installation Checklist

Appendix B: PMIX SRS AdminConsole Overview

The following screen images show how the checklist data values collected prior to installation can be entered into the AdminConsole. For additional information, refer to the AdminConsole documentation.

Figure 3: Service Endpoint Configuration Screen

Figure 4: Client Endpoint Configuration Screen

Figure 5: Digital Certificate Configuration Screen

Appendix C: Implementation Plan Template

Server Administration (~ 1 hour)

- Install the latest version of the .NET Framework
- Install the latest version of the PMIX State Routing Service (SRS)
- Install & configure Windows IIS Server Role
- Install the latest version of the PMIX Admin Console
- Install the latest version of the PMIX RAS Service
- Establish a PMIX SRS LDAP Directory Structure
- Configure the PMIX SRS LDAP Directory Service

Network Administration (~ 1 hour)

- Configure the SRS to RxCheck Hub (Outbound) network
- Configure the SRS to State PDMP (Internal) network
- Configure the RxCheck Hub to SRS (Inbound) network
- Establish Domain Name (DNS) Resolution

Security Administration (~ 1 hour)

- Generate SSL/TLS Custom CSR (if necessary)
- Import the certificate to Personal Store
- Ensure the certificates have a Friendly Name
- Copy the certificate to Trusted People Store
- Bind the certificate to the SRS HTTP endpoint

Testing (~ 1 hour)

- Verify State PDMP outbound request/response via SRS to disclosing site
- Verify State PDMP inbound request processing through SRS from requesting site

Additional Resources

PMIX National Architecture Overview

PMIX National Architecture version 1.0

PMIX Springboard Service Conformance Package

MOU Guideline for Interstate Data Sharing

Sample MOU for the Exchange of Live Patient Data